CISA orders federal agencies to secure Internet-exposed network devices

CISA issued this year's first binding operational directive (BOD) ordering federal civilian agencies to secure misconfigured or Internet-exposed networking equipment within 14 days of discovery.

The cybersecurity agency's Binding Operational Directive 23-02 applies to networked devices with Internet-exposed management interfaces (e.g., routers, firewalls, proxies, and load balancers) that grant authorized users the necessary access for performing network administrative duties. 

"The Directive requires federal civilian executive branch (FCEB) agencies to take steps to reduce their attack surface created by insecure or misconfigured management interfaces across certain classes of devices," CISA said.

"Agencies must be prepared to remove identified networked management interfaces from exposure to the internet, or protect them with Zero-Trust capabilities that implement a policy enforcement point separate from the interface itself," the agency added.

As outlined in BOD 23-02, federal agencies have 14 days from either receiving notification from CISA or independently discovering a networked management interface falling under the scope of the directive to take one of the following actions:

1. Restrict access to the networking equipment's interface to the internal network, with CISA recommending using an isolated management network.
2. Implement Zero Trust measures to enforce access control to the interface via a policy enforcement point separate from the interface itself (the preferred course of action).

CISA says it will conduct scans to identify devices and interfaces falling within the directive's scope and notify the agencies of its findings.

To facilitate the remediation process, CISA will provide federal agencies with technical expertise when needed or requested to review the status of specific devices and provide guidance on securing devices.

FCEB agencies will also have access to a dedicated reporting interface and standardized templates for remediation plans in cases where the required timeframe for remediation efforts is exceeded.

Within six months and annually after that, CISA will compile and submit a report on FCEB BOD 23-02 compliance status to both the Director of the Office of Management and Budget (OMB) and the Secretary of the Department of Homeland Security (DHS).

Furthermore, within two years, CISA will update the directive to accommodate changes in the cybersecurity landscape and revise the implementation guidance provided to help agencies effectively identify, monitor, and report networked management interfaces they employ. 

In March, CISA also announced that it would warn critical infrastructure organizations of ransomware-vulnerable devices on their network to help them block ransomware attacks as part of a new Ransomware Vulnerability Warning Pilot (RVWP) program.